Apple's AirDrop & Wi-Fi password sharing features can potentially expose critical ID data
Wireless features like AirDrop and Wi-Fi password sharing on iPhones, Macs, and other Apple devices can expose exploitable data, according to a recent report -- but there are two easy solutions.
The technologies broadcast a partial cryptographic (SHA256) hash, which can be used to obtain details like an iPhone's phone number or a Mac's static MAC address, said security outfit Hexway. The underlying issue is data packets sent through Bluetooth Low Energy (BLE), which for all Apple devices transmit information such as name, OS version, battery status, and whether Wi-Fi is on.
This is often innocuous and necessary, but could be used by some parties to track people or launch a more serious attack. In one short video, Hexway demonstrated an AirDrop-based exploit that allows someone to send an SMS message to a target.
Attackers may also be able to send their own BLE requests and disguise themselves as devices like AirPods, or force target hardware to share a Wi-Fi password.
The issue is present on all iOS devices from iOS 10.3.1 onwards, Hexway said, though products prior to the iPhone 6s are only sending a limited number of messages instead of a continuous stream. Regardless, the only way of completely mitigating the threat is turning off Bluetooth, which may not be worth it -- especially for people with accessories that depend on wireless, such as headphones or an Apple Watch.
"This behavior is more a feature of the work of the ecosystem than vulnerability," Hexway commented.
Much of this vector of attack is inherent to the BLE protocol, but AirDrop and similar sharing standards slightly expose the vector. It's recommended that Apple users lock down AirDrop as much as they can by setting it to "Contacts Only," or disabling it entirely, since strangers might otherwise be able send harassing images and other files.
The attack is still mostly a targeted one, and most users won't have to worry. There is no evidence that this vector is currently being exploited.
The technologies broadcast a partial cryptographic (SHA256) hash, which can be used to obtain details like an iPhone's phone number or a Mac's static MAC address, said security outfit Hexway. The underlying issue is data packets sent through Bluetooth Low Energy (BLE), which for all Apple devices transmit information such as name, OS version, battery status, and whether Wi-Fi is on.
This is often innocuous and necessary, but could be used by some parties to track people or launch a more serious attack. In one short video, Hexway demonstrated an AirDrop-based exploit that allows someone to send an SMS message to a target.
Attackers may also be able to send their own BLE requests and disguise themselves as devices like AirPods, or force target hardware to share a Wi-Fi password.
The issue is present on all iOS devices from iOS 10.3.1 onwards, Hexway said, though products prior to the iPhone 6s are only sending a limited number of messages instead of a continuous stream. Regardless, the only way of completely mitigating the threat is turning off Bluetooth, which may not be worth it -- especially for people with accessories that depend on wireless, such as headphones or an Apple Watch.
"This behavior is more a feature of the work of the ecosystem than vulnerability," Hexway commented.
Much of this vector of attack is inherent to the BLE protocol, but AirDrop and similar sharing standards slightly expose the vector. It's recommended that Apple users lock down AirDrop as much as they can by setting it to "Contacts Only," or disabling it entirely, since strangers might otherwise be able send harassing images and other files.
The attack is still mostly a targeted one, and most users won't have to worry. There is no evidence that this vector is currently being exploited.
Comments
Whether or not they do depends mainly on: How hard they are willing to work based on the value of the prize versus how hard it is to get in, and, the relative difficulty compared to somebody else's system.
Personally, when it comes to personal security, I really wish Apple didn't have any phone numbers show up for calls and texts on the lock screen before the device is authenticated with a passcode after a restart. I find these numbers a lot more revealing than some name I've put in, like Bob.
This trend of being obsessed with the exposure of data that is not meaningful in the least is incredibly obnoxious and needs to die.
Tomorrow's headline: COMPANY CREATES GIANT BOOK OF EVERYONES NAME AND PHONE NUMBER AND MAILS IT TO EVERYONE! OUTRAGE CANNOT BE QUELLED!
But, when receiving a call not displaying the name and phone number is silly.
If you want to say you don’t want iMessage (etc) to display on a locked phone, there’s some sense to that. There’s probably an option somewhere (or should be) to turn that off.
Very true. Police are now exploiting this on locked iPhones. They'll call from whatever phone number may make your case look bad and use it as "evidence".